The Evolved Packet System (EPS) is known by the brand name long term evolution (LTE) network. It comprises the E-UTRAN Radio Access network and the Evolved Packet Core (EPC). The 3rd generation partnership program (3GPP) is in the process of defining an enhancement to the evolved packet system that introduces so-called Relay Nodes (RNs) into the EPS architecture. An EPS architecture including RNs is also called a (EPS) Relay Node Architecture. A particular EPS Relay Node Architecture has been selected by 3GPP for further elaboration. This selected architecture is documented in 3GPP technical specification (TS) 36.806, cf. ftp://ftp.3gpp.org/Specs/html-info/36806.htm, where it is called “alternative 2”. Further documentation can be found in 3GPP TS 36.300, cf. ftp://ftp.3gpp.org/Specs/html-info/36300.htm. An overview of this architecture is depicted in FIG. 1, which is taken from 3GPP TS 36.300 v10.0.0 (FIG. 4.7.2-1), and is explained in the following:
An RN is a base station that relays traffic between a User Equipment (UE) and another base station (evolved NodeB, eNB), the donor base station (DeNB). Both the Uu interface between the UE and the RN and the Un interface between the RN and the DeNB are radio interfaces. Uu and Un are very similar. The Uu interface between a UE and an eNB in an EPS architecture without relay nodes is identical to an Uu interface between a UE and an RN, i.e. the UE is not aware of the presence of the RN.
An RN has two faces: towards the UE it acts as an eNB; and towards the DeNB it acts like a UE. The UE characteristics of an RN come into play in particular when the connections over the radio interface Un are established during the so-called RN start-up phase, cf. 3GPP document R2-102085, available at http://www.3gpp.org/ftp/tsg_ran/WG2_RL2/TSGR2_69bis/Docs/R2-102085.zip. The RN attaches to the network, and the radio bearers on Un between the RN and its DeNB are established in the same way in which a UE attaches to the network and establishes radio bearers over the Uu interface between the UE and an eNB.
Consequently, there is a mobility management entity (MME) that sees the RN in its role as a UE and is active in particular during the RN start-up phase. This MME is called the Relay UE's MME, or MME-RN for short. The MME-RN authenticates the RN during the start-up phase and usually interacts with the home subscriber server (HSS) for this purpose. The HSS contains the subscription data of the RN in its UE-role.
Like a proper UE, the RN also contains a universal subscriber identity module (USIM) on a universal integrated circuit card (UICC) to enable authentication. In order to distinguish this USIM from the ones inserted in a UE, it is called USIM-RN (not shown in FIG. 1). The security keys for protecting signaling and user plane on the Un interface and for protecting non-access stratum (NAS) signaling between RN and MME-RN may be derived as defined for EPS without relay nodes, or may be suitably modified.
The introduction of relay nodes into the EPS architecture creates new security challenges. The state of the security discussion in 3GPP in July 2010 can be found in 3GPP document S3-100896, available at http://www.3gpp.mobi/ftp/tsg_sa/WG3_Security/TSGS3_60_Montreal/Docs/
When a relay node (RN) attaches to the donor base station (DeNB) in the E-UTRAN, the Mobility Management Entity for Relay Nodes (MME-RN) in the EPC that controls the DeNB needs to verify whether the entity requesting to be attached belongs to the class of relay nodes and satisfies certain properties (attributes) required of a relay node, in particular the execution of certain RN-specific functions in a secure environment on the RN and the integrity of the RN platform (i.e. correctness of Hardware (HW) and Software (SW)).
However, the MME-RN according to the present technical specifications does not have the means to verify the required RN attributes directly.
As one way to solve this problem, one might enhance the functionality of the relevant network nodes, such as DeNB and MME-RN, with functionality enabling them to perform this verification of the attributes of the RN directly. Such a solution was published by 3GPP in document S3-100896, retrievable from http://www.3gpp.mobi/ftp/tsg_sa/WG3_Security/TSGS3_60_Montreal/Docs/. According to S3-100896, the DeNB and the MME-RN may be enhanced with specific functionality using certificates.
Another solution to the problem according to unpublished patent application PCT/EP2010/058749 enhances the solution in section 7.5 of S3-100896 in that the keys for protecting the access stratum on the Un interface are obtained from the USIM-RN via a secure channel.